International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-12-19
17:36 [Job][New] Post-doc (three posts), Centre for Cybercrime and Computer Security, Newcastle University, UK, EU

  You will join a vibrant and growing team of security researchers at the Centre for Cybercrime and Computer Security (CCCS) at Newcastle University. The aim of the project is to address one of the grand challenges in the real world: how to develop an e-voting system that is secure, dependable and usable for future elections.

This is a five-year project, supported by the European Research Council (ERC) Starting Grant. The initial appointments will be three years. Further extension by another two years will be possible subject to the performance and available funding. The expected starting date is 1 March, 2013 (flexible)

To apply for the posts, you need to have a PhD in Computer Science, engineering or related discipline, with a solid background in security and an excellent track record. Expertise in one of the following areas is especially desirable: cryptography, dependability and usable security.



12:54 [Job][Update] PostDoc in Cryptography, University of Bristol, UK, EU

  The Cryptography group within the Department of Computer Science has grown considerably in the last year and additional researchers are required in the following areas:

  • Analysis of “real world” protocols

  • Formal Methods applied to security protocols

  • Fully Homomorphic Encryption

  • Lattice Based Cryptography

  • Provable Security, i.e. Protocol and Mechanism design

  • Multi-Party Computation

You will hold a PhD, or expect to be awarded soon, and have experience in one of the sub-areas of cryptography mentioned above.

You will have a good level of analytical skills and the ability to communicate complex information clearly, both orally and through the written word together with the ability to use personal initiative, and creativity, to solve problems encountered in the research context.

Ideally, you will also have a strong publication record in top relevant venues, such as the IACR conferences and journal, ACM-CCS, IEEE S&P, ESORICS, etc

Appointment may be made at the Research Assistant (grade I) or Research Associate (grade J) level depending on skills and experience and will be for 2 to 3 years in the first instance.

Please Note: This is a “rolling advert” with a nominal close date only. Applications are welcome at any time and the timing of the selection process will be dependent on the applications received.



12:53 [Job][New] PostDoc in Cryptography, University of Bristol

  The Cryptography group within the Department of Computer Science has grown considerably in the last year and additional researchers are required in the following areas:

  • Analysis of “real world” protocols

  • Formal Methods applied to security protocols

  • Fully Homomorphic Encryption

  • Lattice Based Cryptography

  • Provable Security, i.e. Protocol and Mechanism design

  • Multi-Party Computation

You will hold a PhD, or expect to be awarded soon, and have experience in one of the sub-areas of cryptography mentioned above.

You will have a good level of analytical skills and the ability to communicate complex information clearly, both orally and through the written word together with the ability to use personal initiative, and creativity, to solve problems encountered in the research context.

Ideally, you will also have a strong publication record in top relevant venues, such as the IACR conferences and journal, ACM-CCS, IEEE S&P, ESORICS, etc

Appointment may be made at the Research Assistant (grade I) or Research Associate (grade J) level depending on skills and experience and will be for 2 to 3 years in the first instance.

Please Note: This is a “rolling advert” with a nominal close date only. Applications are welcome at any time and the timing of the selection process will be dependent on the applications received.





2012-12-18
14:23 [Event][New] Vote-ID '13: Fourth international conference on E-voting and Identity

  Submission: 11 March 2013
Notification: 26 April 2013
From July 17 to July 19
Location: Guildford, UK
More Information: http://www.voteid13.org


13:17 [Pub][ePrint] Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors, by Noboru Kunihiro and Naoyuki Shinohara and Tetsuya Izu

  We discuss how to recover RSA secret keys from noisy key bits with erasures

and errors.

There are two known algorithms recovering original secret keys from noisy

keys.

At Crypto 2009, Heninger and Shacham proposed a method for the case

where an erroneous version of secret keys contains only erasures.

Subsequently, Henecka et al. proposed a method

for an erroneous version containing only errors at Crypto2010.

For physical attacks such as side-channel and cold boot attacks,

we need to study key recovery from a noisy secret key containing both erasures

and errors.

In this paper, we propose a method to recover a secret key from such an

erroneous version

and analyze the condition for error and erasure rates so that

our algorithm succeeds in finding the correct secret key in polynomial time.

We also evaluate a theoretical bound to recover the secret key

and discuss to what extent our algorithm achieves this bound.



13:17 [Pub][ePrint] Cryptanalysis of RAPP, an RFID Authentication Protocol, by Nasour Bagheri, Masoumeh Safkhani, Pedro Peris-Lopez, Juan E. Tapiador

  Tian et al. proposed a novel ultralightweight

RFID mutual authentication protocol [4] that has recently

been analyzed in [1], [2], [5]. In this letter, we first propose

a desynchronization attack that succeeds with probability

almost 1, which improves upon the 0.25 given by the attack

in [1]. We also show that the bad properties of the proposed

permutation function can be exploited to disclose several

bits of the tag\'s secret (rather than just one bit as in [2]),

which increases the power of a traceability attack. Finally,

we show how to extend the above attack to run a full

disclosure attack, which requires to eavesdrop less protocol

runs than the attack described in [5] (i.e., 192

13:17 [Pub][ePrint] Profiled Model Based Power Simulator for Side Channel Evaluation, by Nicolas Debande and Maël Berthier and Yves Bocktaels and Thanh-Ha Le

  An embedded cryptographic device performs operation on sensitive data and as such, is vulnerable to side-channel attacks.

This forces smart-card manufacturers to carefully consider development of security mechanisms.

To accelerate this procedure, the use of power and electromagnetic simulator can be relevant and saves non negligible time.

Based on a high level simulator, we propose to use profiled abstract models to gain accuracy on the simulated traces.

These abstract models are obtained by profiling some parts of the target device which is physically available by the evaluator.



13:17 [Pub][ePrint] On the Non-malleability of the Fiat-Shamir Transform, by Sebastian Faust and Markulf Kohlweiss and Giorgia Azzurra Marson and Daniele Venturi

  The Fiat-Shamir transform is a well studied paradigm for removing interaction from public-coin protocols. We investigate whether the resulting non-interactive zero-knowledge (NIZK) proof systems also exhibit non-malleability properties that have up to now only been studied for NIZK proof systems in the common reference string model: first, we formally define simulation soundness and a weak form of simulation extraction in the random oracle model (ROM). Second, we show that in the ROM the Fiat-Shamir transform meets these properties under lenient conditions.

A consequence of our result is that, in the ROM, we obtain truly efficient non malleable NIZK proof systems essentially for free. Our definitions are sufficient for instantiating the Naor-Yung paradigm for CCA2-secure encryption, as well as a generic construction for signature schemes from hard relations and simulation-extractable NIZK proof systems. These two constructions are interesting as the former preserves both the leakage resilience and key-dependent message security of the underlying CPA-secure encryption scheme, while the latter lifts the leakage resilience of the hard relation to the leakage resilience of the resulting signature scheme.



13:17 [Pub][ePrint] Why \"Fiat-Shamir for Proofs\" Lacks a Proof, by Nir Bitansky and Sanjam Garg and Daniel Wichs

  The Fiat-Shamir heuristic (CRYPTO \'86) is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover\'s first message to select the verifier\'s challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai (FOCS \'03) shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function.

This leaves us with the following interesting possibility: perhaps there exists a hash function that securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if it can fail for some computationally sound arguments. Indeed, the existence of such hash functions has been conjectured by Barak, Lindell and Vadhan (FOCS \'03), who also gave a seemingly reasonable and sufficient condition under which such hash functions exist. However, we do not have any provably secure construction of such hash functions, under any standard assumption such as the hardness of DDH, RSA, QR, LWE, etc.

In this work we give a broad black-box separation result, showing that the security of such hash functions cannot be proved under virtually any standard cryptographic assumption via a black-box reduction.



13:17 [Pub][ePrint] On the (In)security of the Fiat-Shamir Paradigm, Revisited, by Dana Dachman-Soled and Abhishek Jain and Yael Tauman Kalai and Adriana Lopez-Alt

  The Fiat-Shamir paradigm [CRYPTO\'86] is a heuristic for converting 3-round identification schemes into signature schemes, and more generally, for collapsing rounds in public-coin interactive protocols. This heuristic is very popular both in theory and in practice, and many researchers have studied its security (and insecurity).

In this work, we continue this study. As our main result, we show that for many well studied interactive *proofs* (and arguments) the soundness of the Fiat-Shamir heuristic cannot be proven via a black-box reduction to any falsifiable assumption. Previously, the insecurity of this paradigm was exemplified only when applied to interactive arguments (as opposed to proofs).

Using similar techniques, we also show a black-box impossibility result for Micali\'s CS-proofs [FOCS\'94]. Namely, we prove that there exist PCPs such that for \"sufficiently hard\'\' NP languages, Micali\'s CS-proof cannot be proven sound via black-box reduction to any falsifiable assumption.

These results are obtained by extending the impossibility of two-message zero knowledge protocols due to Goldreich and Oren [J. Cryptology\'94].



13:17 [Pub][ePrint] Cryptanalysis of WIDEA, by Gaëtan Leurent

  WIDEA is a family of block ciphers designed by Junod and Macchetti in

2009 as an extension of IDEA to larger block sizes (256 and 512 bits for

the main instances WIDEA-4 and WIDEA-8) and key sizes (512 and 1024

bits), with a focus on using them to design a hash function. WIDEA is

based on the trusted IDEA design, and was expected to inherit its good

security properties. WIDEA-w is composed of w parallel copies of the

IDEA block cipher, with an MDS matrix to provide diffusion between them.

In this paper we present low complexity attacks on WIDEA based on

truncated differentials. We show a distinguisher for the full WIDEA

with complexity only 2^65, and we use the distinguisher in a

key-recovery attack with complexity w·2^68. We also show a collision

attack on WIDEA-8 if it is used to build a hash function using the

Merkle-Damgård mode of operation.

The attacks exploit the parallel structure of WIDEA and the limited

diffusion between the IDEA instances, using differential trails where

the MDS diffusion layer is never active. In addition, we use structures

of plaintext to reduce the data complexity.